The Board of Education provides coverage to eligible employees under fully insured group health plans. The Board has established the following fully insured group health plans:

A.

Medical Plan

B.

Prescription Drug Plan

C.

Dental Plan

D.

Vision Plan

The Board acknowledges that these group health plans are required to comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule as amended by Title I of the Genetic Information Nondiscrimination Act (GINA). Fully insured group health plans generally are exempt from many of the requirements imposed upon self-funded group health plans.

The Board also acknowledges that these fully insured group health plans are required to comply with the HIPAA Security Rule. The group health plans, working together with the insurer, will ensure the confidentiality, integrity, and availability of the group health plansí electronic Protected Health Information in accordance with the HIPAA Security Rule.

The Board hereby appoints Director of Business & Finance to serve as the Security Official of the group health plans. All of the group health plansí functions are carried out by the insurer and the insurer owns and controls all of the equipment and media used to create, maintain, receive, and transmit electronic Protected Health Information relating to the group health plans. Accordingly, the insurer is in the best position to implement the technical, physical, and administrative safeguards required by the HIPAA Security Rule.

The Security Official does not have the ability to assess or adjust the insurerís policies related to the HIPPA Security Rule. Accordingly, unless otherwise determined by the Security Official, the group health plans shall utilize as administrative guidelines the insurerís own policies addressing security measures for the group health plansí electronic Protected Health Information.

The Department of Health and Human Services (HHS) has the authority to impose civil monetary penalties upon Covered Entities. HHS has not historically imposed these penalties directly upon individuals. Notwithstanding the foregoing, the Board agrees to indemnify and hold harmless the Privacy Official and Security Official in connection with the performance of their delegated duties for the group health plans, except to the extent that any liability is imposed as the result of intentional misconduct or gross negligence by the Privacy Official or Security Official as defined by law.

The fully insured group health plans established by the Board shall:

A.

Refrain from taking any retaliatory action against any individual for exercising any right under the plan, filing a complaint with Health and Human Services, participating in any proceeding under Part C of Title XI of the Social Security Act, or opposing any act or practice made unlawful by the Privacy Rule provided that the individual has a good faith belief that the practice opposed is unlawful.

B.

Not impose a requirement that participants waive their rights under the Privacy Rule as a condition of the provision of payment, enrollment in a health plan, or eligibility of benefits.

C.

If the plan document is amended in accordance with the Privacy Rule, the plan must retain a copy of the plan document as amended for six (6) years from the date of its amendment or the date when it last was in effect, whichever is later.

D.

Provide notification to affected individuals, the Secretary of the U.S. Department of Health and Human Services, and the media (when required), if the plan or one of its business associates discovers a breach of unsecured protected health information, in accordance with the requirements of HIPAA and its implementing regulations.

Fully insured group health plans established by the Board shall not create or receive protected health information, except for: